Building a Threat-Intel Pipeline: KEV + EPSS in Production
Six explicit stages, a scorer that refuses to trust CVSS on its own, and what it actually takes to turn nineteen feeds into three digests a day without drowning in noise.
[ operator log — one-person security lab ]
Detection & response engineer, financial services · CISSP, GCIH · London, Ontario
I research AI-assisted security operations by building and running the whole stack myself — a 30-service lab, two Proxmox nodes, one operator — then publish the field notes, wrong turns included.
FEATURED
Six explicit stages, a scorer that refuses to trust CVSS on its own, and what it actually takes to turn nineteen feeds into three digests a day without drowning in noise.
Thirty-plus services, two Proxmox nodes, one operator, and the two outages that taught me more than any tutorial did.
24 pentest tools behind a Model Context Protocol server — CIDR allowlist, destructive-action confirmation, full audit trail.
WRITING INDEX
SOC architecture, threat hunting, detection-as-code, SOAR — six parts.
Standing up a real, multi-node research lab from nothing — six parts.
Field reports and topical write-ups, latest first.